A comprehensive approach to protecting computer users from security threats may involve not only detecting and circumventing attacks but also identifying the source of the attacks. By applying such an approach, computer security systems may be able to quickly identify future attacks originating from the same source or following the same pattern. In addition, computer security systems may compile security data about certain attacks to identify the source and then share the security data with law enforcement organizations to assist with prosecutions.
The people and organizations behind these attacks typically leave identifiable traces and/or patterns in their work. For example, a phishing attack may include emails that originate from the same or similar sender addresses. These emails may also contain the same contact addresses and/or phone numbers. Additionally or alternatively, the subject lines and/or bodies of the emails may include similar patterns of words, punctuation, and/or misspellings.
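As an added illustration that is not part of the original disclosure, the following Python script extracts the kinds of traces just described (sender address and domain, Reply-To address, phone numbers, and 3-token sequences of the subject and body in which punctuation runs and misspelled words survive as tokens) from a handful of constructed phishing messages, and links any two messages that share a strong trace or whose text sequences overlap by at least a Jaccard threshold. The message contents, the `secure-pay-support.example` domain, the phone number and the 0.3 threshold are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example; not data from the disclosure.
SAMPLES = {
    "m1": """From: Billing Dept <alerts@secure-pay-support.example>
Reply-To: verify@secure-pay-support.example
Subject: Your acount has been suspend!!
Content-Type: text/plain

Dear custommer, your acount has been suspend. Call 555-010-2323 to reactivate.
""",
    "m2": """From: Support <help@secure-pay-support.example>
Subject: Urgent: acount suspend!!
Content-Type: text/plain

Dear custommer, your acount has been suspend. Call (555) 010-2323 now.
""",
    "m3": """From: HR <hr@payroll-portal.example>
Subject: Updated payroll schedule
Content-Type: text/plain

Hi team, the updated payroll schedule is attached. Contact ext. 4411 with questions.
""",
    "m4": """From: Helpdesk <it@mail.example>
Reply-To: verify@secure-pay-support.example
Subject: Password expiry notice
Content-Type: text/plain

Your password expires today. Reset it at the portal to avoid disruption.
""",
}

# North American style phone numbers written with optional separators.
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Words (misspellings kept as-is) and runs of punctuation become tokens.
TOKEN_RE = re.compile(r"[a-z']+|[!?.,]+")


def extract_indicators(raw):
    """Return (strong_indicators, shingles) for one raw RFC 5322 message.

    Strong indicators are exact-match traces: sender address, sender domain,
    Reply-To address and normalized phone numbers found in the body.
    Shingles are 3-token sequences over the lower-cased subject and body.
    """
    msg = message_from_string(raw)
    strong = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender:
        strong.add(("sender", sender))
        strong.add(("sender_domain", sender.rsplit("@", 1)[-1]))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to:
        strong.add(("reply_to", reply_to))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for number in PHONE_RE.findall(body):
        strong.add(("phone", re.sub(r"\D", "", number)))  # digits only
    tokens = TOKEN_RE.findall((msg.get("Subject", "") + " " + body).lower())
    shingles = {tuple(tokens[i:i + 3]) for i in range(len(tokens) - 2)}
    return strong, shingles


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as unrelated."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def link_messages(messages, min_similarity=0.3):
    """Group messages sharing a strong indicator or similar text (union-find).

    Returns (groups, evidence): groups is a list of sorted id lists, evidence
    maps each linked pair to (shared strong indicators, text similarity).
    Links are transitive, so m2 and m4 land together via m1 even though they
    share nothing directly.
    """
    ids = sorted(messages)
    feats = {i: extract_indicators(messages[i]) for i in ids}
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = {}
    for n, a in enumerate(ids):
        for b in ids[n + 1:]:
            shared = feats[a][0] & feats[b][0]
            sim = jaccard(feats[a][1], feats[b][1])
            if shared or sim >= min_similarity:
                evidence[(a, b)] = (sorted(shared), round(sim, 2))
                parent[find(a)] = find(b)
    groups = {}
    for i in ids:
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values()), evidence


if __name__ == "__main__":
    groups, evidence = link_messages(SAMPLES)
    for g in groups:
        print("group:", g)
    for pair, why in sorted(evidence.items()):
        print(pair, "shared:", why[0], "text similarity:", why[1])
```

Running the script groups m1, m2 and m4 together and leaves m3 alone: m1 and m2 share the sending domain, the phone number (once separators are stripped) and most of their misspelled, double-exclamation text, while m4 is pulled in only through the Reply-To address it shares with m1. The strong-indicator set is where a practitioner would add further exact traces (URLs, Message-ID patterns, attachment hashes); the shingle comparison is the part that would need an index rather than pairwise loops once the corpus grows beyond a few thousand messages.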
Unfortunately, analyzing security data to identify these patterns may prove to be a daunting task. Security databases may include billions of records of security events, and conventional computer security systems may be unable to identify certain patterns of security threats, much less identify the sources of such threats, by simply searching these records for repeated data. The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for identifying security threat sources responsible for security events.